Reverse Logistics Magazine
Google     RL Magazine Web
Thursday - November 14, 2019 
Reverse Logistics Magazine - Edition 99
View Edition 99

Reverse Logistics Magazine - Edition 98
View Edition 98

IT Asset Disposition in the Age of Cybersecurity

IT Asset Disposition in the Age of Cybersecurity

by Angie Ransom, Retail Division and David Brent, Vice President, Marketing and Business Developm, , ERI Direct

Reverse Logistics Magazine, Edition 96

Return to Menu

In today’s world the world of cybersecurity, there is much attention focused on topics such as
blockchain, machine learning and AI, improved penetration testing, application vulnerability
testing, and more. Certainly, all of these are critically important issues in the effort to protect
digital data.
However, as governments, corporations and individuals struggle to do all they can to improve
the fight against cyber thieves, it has become significantly more attractive -- and ultimately
more productive -- to strike at another potential vulnerability – end-of-life hardware (ie:
hardware that contains personal or private data).
Without a comprehensive, individual review of every major law, regulation, and standard
regarding data privacy and protection of sensitive information, it bears mentioning that all
ultimately require policies and procedures (either directly or implied) for data
destruction/sanitization of protected information to be compliant.
With the acceleration of technology and larger on board non-volatile memory (NVRAM), data
security requirements have expanded to an increasing number of devices, compounded by the
growing number of legacy devices many organizations have stockpiled. Warehouse scanners,
POS devices, printers, cameras, smartcards, network devices, and copying machines are all
likely to contain data.
Across the nation, many legacy storage devices such as CDs and backup data tapes still exist –
in warehouses, storage rooms, and closets. Items such as televisions and monitors generally do
not have NVRAM, but even screen “burn in” can be of concern for organizations with the
highest security requirements.
Even with a robust asset disposition policy, things can go horribly wrong. Assets will inevitably
be processed by third-party service providers at some point in the disposition process, either
relying on service providers with a core competency in data sanitization or further downstream
for recycling.
A PBS report (“Ghana: Digital Dumping Ground”) in 2009 highlighted the risk of failing to
perform due diligence on service providers. A correspondent and several graduate journalism
students from the University of British Columbia traveled to Ghana to document the mountains
of e-waste shipped there from developed nations, including the United States.

ERIDIRECT.COM | 1-800-ERI-DIRECT (374-3473) | 7815 N. Palm Ave., Ste. 140 Fresno, CA 93711
In addition to the e-waste dumping grounds, salvaged hard drives were being sold in open-air
markets. The locals acknowledged that cybercriminal syndicates would purchase them to
retrieve any personal data they could find. A student purchased some of the hard drives for the
equivalent of $35.
As it turned out, one of these drives originated from a prominent U.S. government contractor. It
contained sensitive contract data from the Defense Intelligence Agency, NASA, the Pentagon,
and Homeland Security, including confidential TSA hiring procedures. No cyber-attack. No
network breaches. No warning. $35 in an open-air market in Africa is all it took to obtain
classified information.
The exporting of e-waste to developing countries remains a serious problem. The fundamental
issue is that it costs significantly less to ship electronic assets to developing countries than to
process them securely and responsibly. Container ships from Asia to U.S. ports will typically
return empty, so it is extremely cheap to transport e-scrap to Asia. From there it is disseminated
to other countries, including Pakistan and Ghana. There is no current comprehensive U.S. law
that prevents shipment of e-scrap to developing countries. There is an international treaty, the
Basel Convention, that restricts the flow of e-waste to developing countries; however, the U.S.
has not ratified that treaty. Regardless of legislation, the damage to brand and reputation for a
retailer in particular can be severe due to consumer backlash.
A 2018 study conducted by ERI identified 134 supplier sites of ITAD, e-recycling, or both that
have been fined, de-certified, suspended, or have shipped e-scrap to developing nations.
Unfortunately, the number of such incidents continues to increase.
The important takeaway is how crucial and urgent it is to carefully select and audit any supplier
that is a key partner in your asset disposition strategy, ensuring they are doing what they
commit to do.
The following spotlight on the situation with one printer emphasizes the point.
Spotlight on the Lowly Printer
Printers are a common device found in corporate headquarters, retail stores, distribution centers,
and warehouses. Printer volatile memory will clear upon powering down. However, printer

ERIDIRECT.COM | 1-800-ERI-DIRECT (374-3473) | 7815 N. Palm Ave., Ste. 140 Fresno, CA 93711
NVRAM will retain sensitive data including embedded web server passwords, POP3/SMTP
data, recently printed documents, and related data, depending on the printer.
Post Script and PJL scripts, a generic printing language supported by many laser printers, are
available on the Internet from both reputable and black hat sources to do a data dump from a
printer’s NVRAM. All that is required is a USB cable to connect to the printer. Accordingly,
the NVRAM must either be cleared, or the device destroyed in a responsible manner to
safeguard the data.
Unfortunately, the following scenario is all too common:
A vendor describes itself as a “company with global presence in the electronics recycling
industry. Our facility is certified with R2 and ISO certification.” Additionally, its environmental
policy statement is: “With our zero-landfill policy, [Vendor] guarantees no single piece of
electronic device will end up in a landfill anywhere in the world and thus, reducing the liability
of our clients and the damage done to the environment.”
Further, it also identifies on its website as being certified by the EPA and CalRecycle. However,
the EPA does not certify e-recyclers and this company’s status with CalRecycle is inactive.
They are not R2 certified, which, along with Basel Action Network’s e-stewards program, is
one of the two recognized responsible recycling certifications.
The Basel Action Network ( is a non-profit watchdog organization focused on
bringing awareness as to where e-waste eventually ends up, publishing results from the use of
GPS trackers on devices such as printers. One printer from the referenced vendor was tracked
by BAN as follows:
 July 6, 2017 Houston, Texas
 July 21, 2017 Carson, California
 Aug. 24, 2017 Port of Hong Kong
 August 28, 2017 Hong Kong, New Territories
 November 13, 2017 Port of Karachi
 November 22, 2017 Lahore, Pakistan
This sample case study is just used as one of many examples reported by BAN. No matter how
it happened, or who was responsible, the printer (and all of its data) ended up in Pakistan. The
bottom line question -- is it an acceptable risk that your organization’s and its customers’
sensitive data end up in Pakistan?

ERIDIRECT.COM | 1-800-ERI-DIRECT (374-3473) | 7815 N. Palm Ave., Ste. 140 Fresno, CA 93711
Every organization must have robust policies and procedures for all potential data-bearing
devices. More than just a “check box,” organizations need to actively review and audit third
party service providers handling data destruction and recycling, including a review of chain of
custody, downstream vendors of the primary service provider, and in-person observation of the
service provider’s operations and processes.
Due diligence should include verification that the service provider is National Association for
Data Destruction (NAID) certified, not just a member of that organization. It is straightforward
to become a member, but certification requires rigorous evaluation and submission to random,
unannounced audits that many service providers are not willing to allow.
Further, and as recommended by the EPA, service providers and potentially their downstream
vendors should hold R2 or e-Stewards certification (preferably both) at all facilities. Both
require service providers to adhere to rigorous standards and documented methodologies. This
helps ensure responsible e-recycling and prevents improper disposal that not only could result
in a data breach but is hazardous to the environment and could result in fines and penalties to
the source organization as the “generator” under RCRA.

This article was provided by ERI, the largest fully integrated IT and electronics asset
disposition provider and cybersecurity-focused hardware destruction company in the United
States. ERI is certified to de-manufacture, recycle, and refurbish every type of electronic device
in an environmentally responsible manner. ERI has the capacity to process more than a billion
pounds of electronic waste annually at its eight certified locations, serving every zip code in the
United States. ERI’s mission is to safeguard organizations, people and the environment.  For
more information about e-waste recycling and ERI, call 1-800-ERI-DIRECT or visit
Angie Ransom leads the Retail Division of ERI, the largest fully integrated IT and Electronics Asset Disposition service provider in the United States. Angie has worked with ERI for over 13 years, helping safeguard organizations. Her expertise includes: retail products, program analysis, day-to-day operations, and compliance.

David Brent is the Vice President, Marketing and Business Development of ERI. David has held executive level positions in two public companies, entrepreneurial ventures, and consulting to organizations in a wide range of industries including energy, financial services, automotive, electronics manufacturing, and pharmaceuticals
Return to Menu

Reverse Logistics Association Reverse Logistics Magazine Reverse Logistics Magazine Reverse Logistics Magazine Certified Green Website